how to isolate a VM (Meraki + VMware)

cabricharme
Getting noticed

How does one isolate (air-gap) a VMware VM yet allow it to print, using a Meraki stack?

Ideally in a series of easy-to-follow steps vs. "go RTFM".

(Trying to translate documentation - e.g. Switch ACL Operation - and related threads - e.g. Isolate vlan from all other vlans! - into actual configuration steps.)

  • The task is to "air-gap" a VMware (ESXi / vCenter) VM yet allow it to print to a physical printer on a network. The printer can be dedicated to the task, i.e. it does not have to be shared with any other devices for printing.
  • The VM is a P2V'd Windows Server 2000 machine (presumably vulnerable, presumably even running malware) running an old LoB application that occasionally needs to be accessed, and records from it printed out.

The stack is MX100 with MS switches, a few ESXi 7 servers, vCenter 7.

So far the plan is:

  • VMware:
    • Create a vSwitch (vCenter / ESXi), set it to a unique VLAN that's not used elsewhere. E.g. 2001.
      • Do not (yet) connect the VM's NIC to it: the VLAN is not fully isolated yet - not until the MX is configured to stop almost all of the traffic flow to/from it.
  • Meraki MX:
    • Connect a network printer to a Meraki switch port, "access" type, VLAN 2001, port isolation: disabled (no point, given port isolation won't stop traffic flow within the vSwitch, or between VLANs?)
    • Create a "deny everything" Group Policy, name it something like "VLAN 2001 printing only"
    • Create a new VLAN on the MX ("Security & SD-WAN" -> "Addressing & VLANs" -> "Routing" -> "Add VLAN"):
      • give it a non-routable subnet with the smallest range possible (e.g. "VLAN interface IP" of 10.201.0.128, Subnet 10.201.0.128/30, then give the VM and the printer .129 and .130 IPs)
      • assign the above group policy to it
  • Now connect the VM's NIC to the vSwitch configured above, configure IPs on the printer and the VM, try pinging the printer's IP from the VM, confirm no ICMP response
    • create an "allow" rule in the GP configured above allowing ICMP traffic from the VM to the printer (and back?)
    • try pinging again, confirm it's working
    • modify the "allow" rule configured above to include TCP/UDP traffic
    • test printing

Do the above steps do what's needed, to fully isolate the VM with the exception of talking to a printer? Did I miss anything obvious (or not so obvious)?

Thank you!
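
An added example, not from this thread or from Meraki: a small Python checker for the plan above, using the post's own values (VLAN 2001, 10.201.0.128/30, the MX interface on .128, VM on .129, printer on .130). It verifies that the MX interface, the VM and the printer all land on usable host addresses of the chosen subnet, and that the allow/deny rule list (its field names modelled on the Meraki L3 outbound rule layout, which is an assumption here) permits only traffic that stays inside the VLAN, with the deny-any rule last. The printing ports 9100, 515 and 631 are assumed.

```python
import ipaddress

# Constructed values taken from the plan in the post: VLAN 2001 on a /30, the MX
# "VLAN interface IP" on .128, the VM on .129 and the printer on .130.
PLAN = {"vlan_id": 2001, "subnet": "10.201.0.128/30", "interface_ip": "10.201.0.128",
        "vm_ip": "10.201.0.129", "printer_ip": "10.201.0.130"}
PRINT_PORTS = "9100,515,631"  # assumption: raw/JetDirect, LPD and IPP


def check_addressing(plan):
    """Return problems with the subnet plan; an empty list means it fits."""
    net = ipaddress.ip_network(plan["subnet"], strict=True)
    usable = set(net.hosts())  # excludes the network and broadcast addresses
    problems = []
    for role in ("interface_ip", "vm_ip", "printer_ip"):
        addr = ipaddress.ip_address(plan[role])
        if addr not in usable:
            problems.append(f"{role} {addr} is not a usable host address in {net}")
    if len(usable) < 3:  # MX interface, VM and printer each need an address
        problems.append(f"{net} has {len(usable)} usable addresses; 3 are needed")
    return problems


def build_rules(plan):
    """Allow-list for the VM->printer path, then deny everything. Field names
    follow the Meraki L3 outbound rule layout (an assumption, not Meraki code)."""
    vm, printer = f"{plan['vm_ip']}/32", f"{plan['printer_ip']}/32"
    return [
        {"policy": "allow", "protocol": "icmp", "srcCidr": vm, "destCidr": printer,
         "destPort": "Any", "comment": "ping test"},
        {"policy": "allow", "protocol": "tcp", "srcCidr": vm, "destCidr": printer,
         "destPort": PRINT_PORTS, "comment": "printing"},
        {"policy": "deny", "protocol": "any", "srcCidr": "Any", "destCidr": "Any",
         "destPort": "Any", "comment": f"VLAN {plan['vlan_id']} printing only"},
    ]


def check_rules(rules, plan):
    """Flag a missing final deny-any and allow rules that reach outside the VLAN."""
    net = ipaddress.ip_network(plan["subnet"])
    last = rules[-1]
    problems = []
    if not (last["policy"] == "deny" and last["srcCidr"] == last["destCidr"] == "Any"):
        problems.append("last rule must be deny Any -> Any")
    for rule in (r for r in rules[:-1] if r["policy"] == "allow"):
        for key in ("srcCidr", "destCidr"):
            cidr = rule[key]
            if cidr == "Any" or not ipaddress.ip_network(cidr).subnet_of(net):
                problems.append(f"allow rule '{rule['comment']}' leaves {net} via {key}")
    return problems
```

Run against the post's values, check_addressing reports that .128 is the network address of 10.201.0.128/30 and that a /30 leaves only two usable addresses for three devices (MX interface, VM, printer), so the subnet needs to be one size larger, or the MX interface left out as cmr and Brash suggest below.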

7 Replies
alemabrahao
Kind of a big deal

Create a security rule denying any, and above this rule create rules for what you want to allow.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


@alemabrahao wrote:

Create a security rule denying any, and above this rule create rules for what you want to allow.

Thank you. Which question are you answering with this?

This is the main one:

How does one isolate (air-gap) a VMware VM yet allow it to print, using a Meraki stack?

Ideally in a series of easy-to-follow steps vs. "go RTFM".


(Highlighting mine.)

This is the follow-up one:

Do the above steps do what's needed, to fully isolate the VM with the exception of talking to a printer? Did I miss anything obvious (or not so obvious)?

(It's two questions - yet both still boiling down to, "did I miss anything?")

Thanks again - and apologies for needing precision and well defined steps as opposed to "being pointed in the right direction".

Don't you know how to create an L3 security rule?

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Outbound_rules

cmr
Kind of a big deal

Does the host have any free network ports?

If so, connect the VM to a VMware switch that maps to that port. On the switches create two access ports on the new VLAN, don't create an interface for it. Connect the host NIC to one port and the printer to the other.

No risk of traffic getting outside of that.

thaack
Getting noticed

Right - or USB passthrough was my second thought. No idea what support for that looks like on Server 2000 though...

My other thought is do users need to access this server? If so, OP's proposed solution will not work, and the server will only be accessible through VMRC...

Brash
Kind of a big deal

If the printer is dedicated to this VM, there's really no need to create a VLAN interface on the MX.

You can simply set up a new VLAN on the vSwitch, configure that VLAN on the trunk ports on the switches through the network to the switch where the printer is connected, and configure the printer port as an access port in that VLAN.

Don't set any default gateway on either the printer or the computer and you're good to go. Those devices will not be able to communicate with anything outside of that VLAN.

The only 'risk' of this is VLAN bleeding if someone misconfigures the network in the future. To minimize that, you can add switch ACLs to allow only the specific communication (IPs and ports) on that VLAN and deny all other communication from those hosts.
